Dewdrop

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only virtual pet skill that shows users how to call animalhouse.ai APIs, with no hidden code or local system access found.

Install only if you trust animalhouse.ai. Treat the ah_ token like a password: do not share it, paste it into public chats or logs, or commit it to files. Use non-sensitive profile text, pet names, prompts, and care notes because those values are sent to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill includes a registration example that sends profile data such as username, display name, and bio to an external service without any privacy notice, data-use explanation, or caution about submitting personal information. Users may copy the example with real identifying data, causing unnecessary disclosure to a third party and making consent/data-handling expectations unclear.

Missing User Warnings

Medium
Confidence: 96%
Finding
The instruction to save `your_token` identifies a bearer token but does not warn that it is a sensitive credential that grants account access. Users may store, paste, log, or share the token insecurely, enabling account takeover or unauthorized actions against the remote service.

VirusTotal

65/65 vendors flagged this skill as clean.
